According to the report, the largest federal agencies spent 90 percent of their IT security costs on personnel, about 5 percent on cybersecurity tools, 3 percent on developing risk-based security programs and about 1 percent each on testing IT security and training personnel, according to the report. That’s an overall increase from the total $13.3 billion agencies spent on cybersecurity in fiscal 2011.

“While a number of agencies are clearly on the right path, more steps need to be taken to enhance the overall federal government’s information security management,” Sen. Tom Carper, D-Del., said in a statement.

“Federal agencies need to fully implement meaningful security programs that can withstand the serious cyber challenges we face today and will face for the foreseeable future,” he said.

Some agencies, such as the Office of Personnel Management, have improved their ability to automate security checks of their networks, detect vulnerabilities through agency-sponsored security or penetration testing and ensure network traffic is routed through secure Internet connections. But a number of agencies, including the Veterans Affairs Department, are failing to encrypt emails and detect and block unauthorized software from uploading and crippling their networks and systems, the report found.

Agencies said the top challenges impacting cybersecurity include:

 Funding the administration’s priority initiatives, such as continuously monitoring their systems for vulnerabilities and fixing them.

 Cultural challenges.

 Upgrading legacy systems to support new technology capabilities.

 The current budget structure, which funds information technology and cybersecurity by programs.

 Acquiring skilled staff.

Last fiscal year, agencies reported 90,433 full-time positions with major responsibilities in information security. Of those, 67 percent are government employees and 33 percent are contractors.

The Defense Department reported about 80,000 federal and contractor cyber professionals, compared with agencies such as the Department of Homeland Security, which reported having only 1,000 full-time IT security positions.

Despite DHS’s charge to defend civilian, unclassified networks and critical infrastructure against cyber attacks, the department lagged behind the Treasury Department and Social Security Administration in terms of federal positions and total security workforce.